Securing the Perimeter

Thomas Lee
Chief Technologist
QA

thomas.lee@qa.com

Continuing from Yesterday

 • Scripting IPSec
 • NAT-T

Scripting IPSec

 • netsh ipsec is the starting point

NAT Traversal: the problem

 • NAT device cannot update IPSec auth-data
   • Hash includes IP address of source
   • When NATted, the recipient will get data from a ‘different’ IP address
 • IKE ports cannot be changed (UDP 500)
 • See http://tinyurl.com/2j99q for more information about NAT issues

NAT-T Changes

 • UDP encapsulation for ESP
   • A UDP header is placed between the outer IP header and the ESP header,
     encapsulating the ESP PDU. The same ports that are used for IKE are used
     for UDP-encapsulated ESP traffic.
 • A modified IKE header format
   • The IPSec NAT-T IKE header contains a new Non-ESP Marker field that
     allows a recipient to distinguish between a UDP-encapsulated ESP PDU and
     an IKE message. IPSec NAT-T-capable peers begin to use the new IKE header
     after they have determined that there is an intermediate NAT.
 • A new NAT-Keepalive packet
   • A UDP message that uses the same ports as IKE traffic, contains a single
     byte (0xFF) and is used to refresh the UDP port mapping in a NAT for IKE
     and UDP-encapsulated ESP traffic to a private network host.
 • A new Vendor ID IKE payload
   • This new payload contains a well-known hash value, which indicates that
     the peer is capable of performing IPSec NAT-T.

NAT-T (continued)

 • A new NAT-Discovery (NAT-D) IKE payload
   • This new payload contains a hash value that incorporates an address and
     port number. An IPSec peer includes two NAT-Discovery payloads during
     Main Mode negotiation—one for the destination address and port and one
     for the source address and port. The recipient uses the NAT-Discovery
     payloads to discover whether a NAT translated addresses or port numbers,
     and, based on which addresses and ports were changed, which peers are
     located behind NATs.
 • New encapsulation modes for UDP-encapsulated ESP transport mode and
   tunnel mode
   • These two new encapsulation modes are specified during Quick Mode
     negotiation to inform the IPSec peer that UDP encapsulation for ESP PDUs
     should be used.
 • A new NAT-Original Address (NAT-OA) IKE payload
   • This new payload contains the original (untranslated) address of the
     IPSec peer. For UDP-encapsulated ESP transport mode, each peer sends the
     NAT-OA IKE payload during Quick Mode negotiation. The recipient stores
     this address in the parameters for the SA.

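The two NAT-T slides above describe how a peer tells IKE, UDP-encapsulated ESP and keepalives apart on the shared port, and how the NAT-D hash reveals a NAT in the path. The following Python is an added illustration, not code from the presentation or from Microsoft: the shared port is UDP 4500 (RFC 3947/3948, not named on the slides), SHA-1 stands in for whatever hash Main Mode negotiated, and the cookies and addresses are constructed samples.

```python
import hashlib
import socket
import struct

# UDP port shared by IKE and UDP-encapsulated ESP once a NAT has been detected
# (RFC 3947/3948; the slides do not name it). Values below are constructed samples.
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes IKE messages on the shared port
NAT_KEEPALIVE = b"\xff"                # one-byte payload that refreshes the NAT mapping


def classify_nat_t_payload(udp_payload: bytes) -> str:
    """Tell apart the three things that can arrive on the NAT-T port.

    An ESP packet starts with its 4-byte SPI, and SPI 0 is reserved, so four
    leading zero bytes can only be the Non-ESP Marker in front of an IKE message.
    """
    if udp_payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(udp_payload) >= 8:              # SPI (4) + sequence number (4) at minimum
        return "esp"
    return "malformed"


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port).

    The hash is the one negotiated in Main Mode; SHA-1 is assumed here.
    IP is the 4-byte address and Port the 2-byte port, both in network order.
    """
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_in_path(received_nat_d: bytes, cky_i: bytes, cky_r: bytes,
                observed_ip: str, observed_port: int) -> bool:
    """The recipient recomputes the hash over the address and port it actually saw
    in the IP/UDP headers; a mismatch means a NAT rewrote them in transit."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != received_nat_d


def nat_d_walkthrough() -> dict:
    """Initiator behind a NAT (192.168.1.10:500) seen by the responder as 203.0.113.5:61000."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed ISAKMP initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
    sent = nat_d_hash(cky_i, cky_r, "192.168.1.10", 500)   # what the initiator believes its source is
    return {
        "behind_nat": nat_in_path(sent, cky_i, cky_r, "203.0.113.5", 61000),
        "no_nat": nat_in_path(sent, cky_i, cky_r, "192.168.1.10", 500),
    }
```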
NAT/IPSec – more Info

 • IKE Negotiation for IPSec Security Associations
   • http://www.microsoft.com/technet/community/columns/cableguy/cg0602.mspx
 • Windows 2000 IPSec Web Site
   • http://www.microsoft.com/windows2000/technologies/communications/ipsec/default.asp
 • L2TP/IPSec NAT-T Update for Windows XP and Windows 2000
   • http://support.microsoft.com/default.aspx?scid=kb;en-us;818043

Agenda

 • Introduction
 • What is the Perimeter?
 • Securing with …
   • Using Microsoft Internet Security and Acceleration (ISA) Server to
     Protect Perimeters
   • Using Internet Connection Firewall (ICF) to Protect Clients
   • Protecting Wireless Networks
   • Protecting Communications by Using IPSec

Defense in Depth

 • A layered approach
   • Increases an attacker’s risk of detection
   • Reduces an attacker’s chance of success

   Layer                               Example defenses
   Data                                ACL, encryption
   Application                         Application hardening, antivirus
   Host                                OS hardening, update management,
                                       authentication, HIDS
   Internal Network                    Network segments, IPSec, NIDS
   Perimeter                           Firewalls, VPN quarantine
   Physical Security                   Guards, locks, tracking devices
   Policies, Procedures, & Awareness   User education

Agenda

 • Introduction
 • What is the perimeter?
 • Securing the perimeter with …
   • Using Microsoft Internet Security and Acceleration (ISA) Server to
     Protect Perimeters
   • Using Internet Connection Firewall (ICF) to Protect Clients
   • Protecting Wireless Networks
   • Protecting Communications by Using IPSec

Perimeter Connections Overview

 [Diagram: Main Office LAN, Business Partner LAN, Branch Office LAN, Remote
 User and Wireless Network LAN, all connected through the Internet]

 Network perimeter includes connections to:
 • The Internet
 • Branch offices
 • Business partners
 • Remote users
 • Wireless networks
 • Internet applications

Defending The Perimeter

 • Properly configured firewalls and border routers are the cornerstone for
   perimeter security
 • The Internet and mobility increase security risks
 • VPNs and wireless networking soften the perimeter
 • Traditional packet-filtering firewalls block only network ports and
   computer addresses
 • Most modern attacks occur at the application layer
 • Perimeter security is useless if the breach is from the inside

Defending at the Client

 • The client is part of the perimeter too!
 • Client defenses block attacks that bypass perimeter defenses or originate
   on the internal network
 • Client defenses include, among others:
   • Operating system hardening
   • Antivirus software
   • Personal firewalls
 • Client defenses require configuring many computers
 • In unmanaged environments, users may bypass client defenses

What About Intrusion Detection?

 • Detects the pattern of common attacks, records suspicious traffic in
   event logs, and/or alerts administrators
 • Threats and vulnerabilities are constantly evolving, which leaves systems
   vulnerable until a new attack is known and a new signature is created and
   distributed
 • Is ID really helpful?

Agenda

 • Introduction
 • What is the perimeter?
 • Securing the perimeter with …
   • Using Microsoft Internet Security and Acceleration (ISA) Server to
     Protect Perimeters
   • Using Internet Connection Firewall (ICF) to Protect Clients
   • Protecting Wireless Networks
   • Protecting Communications by Using IPSec

Firewall Design: Three-Homed

 [Diagram: one firewall with three interfaces, connected to the Internet,
 the DMZ and the LAN]

Firewall Design: Back-to-Back

 [Diagram: Internet, External Firewall, DMZ, Internal Firewall, LAN, in
 sequence]

What Firewalls Do NOT Protect Against

 • Malicious traffic that is passed on open ports and not inspected at the
   application layer by the firewall
 • Any traffic that passes through an encrypted tunnel or session
 • Attacks after a network has been penetrated
 • Traffic that appears legitimate
 • Users and administrators who intentionally or accidentally install viruses
 • Administrators who use weak passwords

Software vs. Hardware Firewalls

   Decision Factor       Description
   Flexibility           Updating for latest vulnerabilities and patches is
                         often easier with software-based firewalls.
   Extensibility         Many hardware firewalls allow only limited
                         customizability.
   Choice of Vendors     Software firewalls allow you to choose from hardware
                         for a wide variety of needs, and there is no reliance
                         on a single vendor for additional hardware.
   Cost                  Initial purchase price for hardware firewalls might
                         be less. Software firewalls take advantage of low CPU
                         costs. The hardware can be easily upgraded, and old
                         hardware can be repurposed.
   Complexity            Hardware firewalls are often less complex.
   Overall Suitability   The most important decision factor is whether a
                         firewall can perform the required tasks. Often the
                         lines between hardware and software firewalls are
                         blurred.

Types of Firewall Functions

 • Packet Filtering
 • Stateful Inspection
 • Application-Layer Inspection

 [Diagram: traffic from the Internet passing through multi-layer inspection
 (including application-layer filtering)]

Protecting Perimeters

 • ISA Server has full screening capabilities:
   • Packet filtering
   • Stateful inspection
   • Application-level inspection
 • ISA Server blocks all network traffic unless you allow it
 • ISA Server provides secure VPN connectivity
 • ISA Server is ICSA certified and Common Criteria certified

Demonstration 1

 Application-Layer Inspection in ISA Server
 Web Publishing

Traffic That Bypasses Firewall Inspection

 • SSL tunnels through traditional firewalls because it is encrypted, which
   allows viruses and worms to pass through undetected and infect internal
   servers
 • VPN traffic is encrypted and cannot be inspected
 • Instant Messenger (IM) traffic often is not inspected and might be used to
   transfer files

Inspecting All Traffic

 • Use intrusion detection and other mechanisms to inspect VPN traffic after
   it has been decrypted
   • Remember: Defense in Depth
 • Use a firewall that can inspect SSL traffic
 • Expand inspection capabilities of your firewall
   • Use firewall add-ons to inspect IM traffic

SSL Inspection

 • SSL tunnels through traditional firewalls because it is encrypted, which
   allows viruses and worms to pass through undetected and infect internal
   servers.
 • ISA Server can decrypt and inspect SSL traffic. Inspected traffic can be
   sent to the internal server re-encrypted or in the clear.

Demonstration 2

 SSL Inspection in ISA Server

ISA Server Hardening

 • Harden the network stack
 • Disable unnecessary network protocols on the external network interface:
   • Client for Microsoft Networks
   • File and Printer Sharing for Microsoft Networks
   • NetBIOS over TCP/IP

Best Practices

 • Use access rules that only allow requests that are specifically allowed
 • Use ISA Server’s authentication capabilities to restrict and log Internet
   access
 • Configure Web publishing rules only for specific destination sets
 • Use SSL Inspection to inspect encrypted data that is entering your network

Agenda

 • Introduction
 • What is the Perimeter?
 • Securing with …
   • Using Microsoft Internet Security and Acceleration (ISA) Server to
     Protect Perimeters
   • Using Internet Connection Firewall (ICF) to Protect Clients
   • Protecting Wireless Networks
   • Protecting Communications by Using IPSec

Overview of ICF

   What It Is      Internet Connection Firewall in Microsoft Windows XP and
                   Microsoft Windows Server 2003
   What It Does    Helps stop network-based attacks, such as Blaster, by
                   blocking all unsolicited inbound traffic
   Key Features    Ports can be opened for services running on the computer;
                   enterprise administration through Group Policy

Enabling ICF

 • Enabled by:
   • Selecting one check box
   • Network Setup Wizard
   • New Connection Wizard
 • Enabled separately for each network connection

ICF Advanced Settings

 • Network services
 • Web-based applications

ICF Security Logging

 • Logging options
 • Log file options

ICF in the Enterprise

 • Configure ICF by using Group Policy
 • Combine ICF with Network Access Quarantine Control

Best Practices

 • Use ICF for home offices and small businesses to provide protection for
   computers directly connected to the Internet
 • Do not turn on ICF for a VPN connection (but do enable ICF for the
   underlying LAN or dial-up connection)
 • Configure service definitions for each ICF connection through which you
   want the service to work
 • Set the size of the security log to 16 megabytes to prevent an overflow
   that might be caused by denial-of-service attacks

Demonstration 3

 Internet Connection Firewall (ICF)
 Configuring ICF Manually
 Testing ICF
 Reviewing ICF Log Files
 Configuring Group Policy Settings

Agenda

 • Introduction
 • What is the Perimeter?
 • Securing with …
   • Using Microsoft Internet Security and Acceleration (ISA) Server to
     Protect Perimeters
   • Using Internet Connection Firewall (ICF) to Protect Clients
   • Protecting Wireless Networks
   • Protecting Communications by Using IPSec

Wireless Security Issues

 • Limitations of Wired Equivalent Privacy (WEP)
   • Static WEP keys are not dynamically changed and therefore are vulnerable
     to attack.
   • There is no standard method for provisioning static WEP keys to clients.
   • Scalability: Compromise of a static WEP key by anyone exposes everyone.
 • Limitations of MAC Address Filtering
   • Attacker could spoof an allowed MAC address.

Possible Solutions

 • Password-based Layer 2 Authentication
   • IEEE 802.1x PEAP/MSCHAP v2
 • Certificate-based Layer 2 Authentication
   • IEEE 802.1x EAP-TLS
 • Other Options
   • VPN Connectivity
       – L2TP/IPsec (preferred) or PPTP
       – Does not allow for roaming
       – Useful when using public wireless hotspots
       – No computer authentication or processing of computer settings in
         Group Policy
   • IPSec
       – Interoperability issues

WLAN Security Comparisons

   WLAN Security Type   Security Level      Ease of Deployment   Usability and Integration
   Static WEP           Low                 High                 High
   IEEE 802.1X PEAP     High                Medium               High
   IEEE 802.1x TLS      High                Low                  High
   VPN                  High (L2TP/IPSec)   Medium               Low
   IPSec                High                Low                  Low

802.1x

 • Defines port-based access control mechanism
   • Works on anything, wired or wireless
   • No special encryption key requirements
 • Allows choice of authentication methods using Extensible Authentication
   Protocol (EAP)
   • Chosen by peers at authentication time
   • Access point doesn’t care about EAP methods
 • Manages keys automatically
   • No need to preprogram wireless encryption keys

802.1x on 802.11

 [Sequence diagram: Laptop Computer (wireless) to Access Point, Access Point
 (Ethernet) to RADIUS Server]

 1. 802.11 Associate: association; access blocked at the access point
 2. EAPOL-Start (laptop to access point)
 3. EAP-Request/Identity (access point to laptop)
 4. EAP-Response/Identity (laptop to access point), forwarded as
    Radius-Access-Request
 5. Radius-Access-Challenge (RADIUS server to access point), forwarded as
    EAP-Request
 6. EAP-Response (credentials) (laptop to access point), forwarded as
    Radius-Access-Request
 7. Radius-Access-Accept (RADIUS server to access point), forwarded as
    EAP-Success; access allowed
 8. EAPOL-Key (Key) (access point to laptop)

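The exchange on this slide, as an added Python simulation that is not part of the presentation: the access point only relays EAP to RADIUS and keeps its controlled port blocked until it sees Access-Accept, which is why it does not need to understand the EAP method. A simple HMAC challenge/response stands in for PEAP/MSCHAP v2, the user store is constructed, and the message names in the trace follow the slide.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed credential store for the RADIUS server (not from the slides).
USERS: Dict[str, bytes] = {"alice": b"correct horse battery staple"}


class RadiusServer:
    """Holds the secrets and judges the EAP credential; the access point never sees them."""

    def __init__(self, users: Dict[str, bytes]):
        self.users, self.challenges = users, {}

    def access_request(self, identity: str, response: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        if response is None:                       # first Access-Request carries EAP-Response/Identity
            self.challenges[identity] = os.urandom(16)
            return ("Access-Challenge", self.challenges[identity])
        secret, nonce = self.users.get(identity), self.challenges.pop(identity, None)
        if secret and nonce and hmac.compare_digest(response, hmac.new(secret, nonce, hashlib.sha256).digest()):
            key = hashlib.sha256(secret + nonce).digest()   # keying material the AP delivers via EAPOL-Key
            return ("Access-Accept", key)
        return ("Access-Reject", None)


class AccessPoint:
    """802.1x authenticator: relays EAPOL <-> RADIUS and gates the controlled port."""

    def __init__(self, radius: RadiusServer):
        self.radius, self.port_open, self.trace = radius, False, []

    def associate(self) -> None:
        self.trace += ["802.11 Associate", "Access Blocked"]   # associated, but no data traffic yet

    def eapol_start(self) -> None:
        self.trace += ["EAPOL-Start", "EAP-Request/Identity"]

    def eap_response(self, identity: str, credential: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """Pass the supplicant's EAP-Response to RADIUS unchanged and map the reply back to EAP."""
        self.trace.append("EAP-Response/Identity" if credential is None else "EAP-Response (credentials)")
        self.trace.append("Radius-Access-Request")
        msg, data = self.radius.access_request(identity, credential)
        self.trace.append("Radius-" + msg)
        if msg == "Access-Challenge":
            self.trace.append("EAP-Request")
            return ("EAP-Request", data)
        if msg == "Access-Accept":
            self.port_open = True                  # only now does non-EAPOL traffic get through
            self.trace += ["EAP-Success", "Access Allowed", "EAPOL-Key"]
            return ("EAP-Success", data)
        self.trace.append("EAP-Failure")
        return ("EAP-Failure", None)

    def data_frame_allowed(self) -> bool:
        return self.port_open


def supplicant_session(ap: AccessPoint, identity: str, password: bytes) -> bool:
    """Run the laptop's side of the slide's sequence; returns whether the port ended up open."""
    ap.associate()
    ap.eapol_start()
    msg, nonce = ap.eap_response(identity)
    if msg == "EAP-Request":
        proof = hmac.new(password, nonce, hashlib.sha256).digest()   # stand-in for the real EAP method
        ap.eap_response(identity, proof)
    return ap.data_frame_allowed()
```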
System Requirements for 802.1x

 • Client: Windows XP
 • Server: Windows Server 2003 IAS
   • Internet Authentication Service—our RADIUS server
   • Certificate on IAS computer
 • 802.1x on Windows 2000
   • Client and IAS must have SP3
   • See KB article 313664
   • No zero-configuration support in the client
   • Supports only EAP-TLS and MS-CHAPv2
       – Future EAP methods in Windows XP and Windows Server 2003 might not
         be backported

802.1x Setup

 1. Configure Windows Server 2003 with IAS
 2. Join a domain
 3. Enroll computer certificate
 4. Register IAS in Active Directory
 5. Configure RADIUS logging
 6. Add AP as RADIUS client
 7. Configure AP for RADIUS and 802.1x
 8. Create wireless client access policy
 9. Configure clients

Access Policy

 • Policy condition
   • NAS-port-type matches Wireless IEEE 802.11 OR Wireless Other
   • Windows-group = <some group in AD>
       – Optional; allows administrative control
       – Should contain user and computer accounts

Access Policy Profile

 • Profile
   • Time-out: 60 min. (802.11b) or 10 min. (802.11a/g)
   • No regular authentication methods
   • EAP type: protected EAP; use computer certificate
   • Encryption: only strongest (MPPE 128-bit)
   • Attributes: Ignore-User-Dialin-Properties = True

Wireless Protected Access (WPA)

 • A specification of standards-based, interoperable security enhancements
   that strongly increase the level of data protection and access control for
   existing and future wireless LAN systems
 • WPA requires 802.1x authentication for network access
 • Goals
   • Enhanced data encryption
   • Provide user authentication
   • Be forward compatible with 802.11i
   • Provide non-RADIUS solution for Small/Home offices
 • Wi-Fi Alliance began certification testing for interoperability on WPA
   products in February 2003

Best Practices

 • Use 802.1x authentication
 • Organize wireless users and computers into groups
 • Apply wireless access policies using Group Policy
 • Use EAP-TLS for certificate-based authentication and PEAP for
   password-based authentication
 • Configure your remote access policy to support user authentication as
   well as machine authentication
 • Develop a method to deal with rogue access points, such as LAN-based
   802.1x authentication, site surveys, network monitoring, and user
   education

Agenda

 • Introduction
 • What is the Perimeter?
 • Securing with …
   • Using Microsoft Internet Security and Acceleration (ISA) Server to
     Protect Perimeters
   • Using Internet Connection Firewall (ICF) to Protect Clients
   • Protecting Wireless Networks
   • Protecting Communications by Using IPSec

Overview of IPSec

 • What is IP Security (IPSec)?
   • A method to secure IP traffic
   • Framework of open standards developed by the Internet Engineering Task
     Force (IETF)
 • Why use IPSec?
   • To ensure encrypted and authenticated communications at the IP layer
   • To provide transport security that is independent of applications or
     application-layer protocols

IPSec Scenarios

 • Basic permit/block packet filtering
 • Secure internal LAN communications
 • Domain replication through firewalls
 • VPN across untrusted media

Implementing IPSec Packet Filtering

 • Filters for allowed and blocked traffic
 • No actual negotiation of IPSec security associations
 • Overlapping filters—most specific match determines action
 • Does not provide stateful filtering
 • Must set "NoDefaultExempt = 1" to be secure

   From IP   To IP            Protocol   Src Port   Dest Port   Action
   Any       My Internet IP   Any        N/A        N/A         Block
   Any       My Internet IP   TCP        Any        80          Permit

Packet Filtering Is Not Sufficient to Protect Server

 • Spoofed IP packets containing queries or malicious content can still
   reach open ports through firewalls
 • IPSec does not provide stateful inspection
 • Many hacker tools use source ports 80, 88, 135, and so on, to connect to
   any destination port

Traffic Not Filtered by IPSec

 • IP broadcast addresses
   • Cannot secure to multiple receivers
 • Multicast addresses
   • From 224.0.0.0 through 239.255.255.255
 • Kerberos—UDP source or destination port 88
   • Kerberos is a secure protocol, which the Internet Key Exchange (IKE)
     negotiation service may use for authentication of other computers in a
     domain
 • IKE—UDP destination port 500
   • Required to allow IKE to negotiate parameters for IPSec security
 • Windows Server 2003 configures only IKE default exemption

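The three IPSec packet-filtering slides above (the filter table with most-specific match, the NoDefaultExempt requirement, and the default exemptions just listed) together describe one stateless decision per packet, and the earlier "Scripting IPSec" slide points at netsh ipsec. The following Python is an added example, not code from the presentation or from Windows: it evaluates the slide's two-row table with most-specific-match semantics, applies the default exemptions for each NoDefaultExempt value, and emits the equivalent netsh ipsec static commands as text. The address 198.51.100.20 is a constructed stand-in for "My Internet IP", and the specificity ordering (host before subnet before any, then protocol, then ports) is a simplification of the driver's own.

```python
import ipaddress
from typing import List, NamedTuple, Optional

ANY = "any"                       # wildcard for address or protocol; None is the wildcard for ports


class Filter(NamedTuple):
    src: str                      # "any", a host address or a CIDR network
    dst: str
    protocol: str                 # "any", "tcp", "udp", "rsvp", ...
    src_port: Optional[int]
    dst_port: Optional[int]
    action: str                   # "permit" or "block"


class Packet(NamedTuple):
    src: str
    dst: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def addr_weight(spec: str) -> int:
    """Host address (2) is more specific than a subnet (1), which beats 'any' (0)."""
    if spec == ANY:
        return 0
    return 2 if ipaddress.ip_network(spec, strict=False).num_addresses == 1 else 1


def addr_match(spec: str, ip: str) -> bool:
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(f: Filter, p: Packet) -> bool:
    return (addr_match(f.src, p.src) and addr_match(f.dst, p.dst)
            and f.protocol in (ANY, p.protocol)
            and f.src_port in (None, p.src_port) and f.dst_port in (None, p.dst_port))


def specificity(f: Filter) -> tuple:
    """Ordering used when filters overlap: addresses first, then protocol, then ports."""
    return (addr_weight(f.src) + addr_weight(f.dst), f.protocol != ANY,
            (f.src_port is not None) + (f.dst_port is not None))


def default_exempt(p: Packet, no_default_exempt: int) -> bool:
    """Traffic the IPSec driver passes without consulting any filter.
    0: broadcast, multicast, RSVP, Kerberos (TCP/UDP port 88) and IKE exempt;
    1: Kerberos and RSVP no longer exempt; 2: broadcast and multicast no longer exempt;
    3 (Windows Server 2003 default): only IKE (UDP destination port 500) exempt."""
    if p.protocol == "udp" and p.dst_port == 500:
        return True
    kerberos = p.protocol in ("tcp", "udp") and 88 in (p.src_port, p.dst_port)
    if no_default_exempt in (0, 2) and (kerberos or p.protocol == "rsvp"):
        return True
    bcast_or_mcast = p.dst == "255.255.255.255" or ipaddress.ip_address(p.dst).is_multicast
    return no_default_exempt in (0, 1) and bcast_or_mcast


def decide(filters: List[Filter], p: Packet, no_default_exempt: int = 3) -> str:
    """'exempt', 'permit' or 'block' for one packet; stateless, so every packet is judged alone."""
    if default_exempt(p, no_default_exempt):
        return "exempt"
    hits = [f for f in filters if matches(f, p)]
    if not hits:
        return "permit"           # no filter applies: the driver passes the packet unchanged
    return max(hits, key=specificity).action


MY_IP = "198.51.100.20"           # constructed stand-in for "My Internet IP" in the slide's table
SLIDE_FILTERS = [
    Filter(ANY, MY_IP, ANY, None, None, "block"),     # Any -> My IP, any protocol: Block
    Filter(ANY, MY_IP, "tcp", None, 80, "permit"),    # Any -> My IP, TCP dst 80: Permit (more specific)
]


def netsh_commands(filters: List[Filter], policy: str = "Packet-Filter") -> List[str]:
    """The equivalent netsh ipsec static script, emitted as text and not executed here."""
    cmds = [f'netsh ipsec static add policy name="{policy}"']
    for act in sorted({f.action for f in filters}):
        cmds.append(f'netsh ipsec static add filteraction name="{act}" action={act}')
    for i, f in enumerate(filters):
        fl = f"{policy}-{i}"
        ports = f" srcport={f.src_port or 0} dstport={f.dst_port or 0}" if f.protocol in ("tcp", "udp") else ""
        cmds += [f'netsh ipsec static add filterlist name="{fl}"',
                 f'netsh ipsec static add filter filterlist="{fl}" srcaddr={f.src} dstaddr={f.dst} protocol={f.protocol}{ports} mirrored=no',
                 f'netsh ipsec static add rule name="{fl}" policy="{policy}" filterlist="{fl}" filteraction="{f.action}"']
    cmds.append(f'netsh ipsec static set policy name="{policy}" assign=y')
    return cmds
```

The NoDefaultExempt value itself lives under HKLM\SYSTEM\CurrentControlSet\Services\IPSEC; the script above expresses only the filters.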
Secure Internal Communications

 • Use IPSec to provide mutual device authentication
   • Use certificates or Kerberos
   • Preshared key suitable for testing only
 • Use Authentication Header (AH) to ensure packet integrity
   • AH provides packet integrity
   • AH does not encrypt, allowing for network intrusion detection
 • Use Encapsulation Security Payload (ESP) to encrypt sensitive traffic
   • ESP provides packet integrity and confidentiality
   • Encryption prevents packet inspection
 • Carefully plan which traffic should be secured

IPSec for Domain Replication

 • Use IPSec for replication through firewalls
   • On each domain controller, create an IPSec policy to secure all traffic
     to the other domain controller’s IP address
 • Use ESP 3DES for encryption
 • Allow traffic through the firewall:
   • UDP Port 500 (IKE)
   • IP protocol 50 (ESP)

Best Practices

 • Plan your IPSec implementation carefully
 • Choose between AH and ESP
 • Use Group Policy to implement IPSec Policies
 • Consider the use of IPSec NICs
 • Never use Shared Key authentication outside your test lab
 • Choose between certificates and Kerberos authentication
 • Use care when requiring IPSec for communications with domain controllers
   and other infrastructure servers

Demonstration 4

 IPSec
 Configuring and Testing a Simple IPSec Policy
 Configuring and Testing an IPSec Packet Filter

Session Summary

 • Introduction/Defense in Depth
 • Using Perimeter Defenses
 • Using ISA Server to Protect Perimeters
 • Using ICF to Protect Clients
 • Protecting Wireless Networks
 • Protecting Networks by Using IPSec

Next Steps

 1. Stay informed about security
    • Sign up for security bulletins:
      http://www.microsoft.com/security/security_bulletins/alerts2.asp
    • Get the latest Microsoft security guidance:
      http://www.microsoft.com/security/guidance/
 2. Get additional security training
    • Find online and in-person training seminars:
      http://www.microsoft.com/seminar/events/security.mspx
    • Find a local CTEC for hands-on training:
      http://www.microsoft.com/learning/

For More Information

 • Microsoft Security Site (all audiences)
   • http://www.microsoft.com/security
 • TechNet Security Site (IT professionals)
   • http://www.microsoft.com/technet/security
 • MSDN Security Site (developers)
   • http://msdn.microsoft.com/security

Questions and Answers